I use hashcat for this. This function is available on computers with or without GPUs.

You might want to use what's called a mask attack. You can run this all from the command line in a single shot or you can create a file with a list of masks to try multiple iterations.

You can use pre-defined wild card characters (called charsets) or even create your own. Here are a few pre-defined ones:

?u = uppercase A-Z

?l = lowercase a-z

?d = 0-9

?a = uppercase, lowercase, digits, special characters

For your example above, the following command would work:

hashcat -a 3 -m 99999 --stdout 'P@$sW0rD?a?a'

Another way to do it would be to create a dictionary file with the word 'password' in it and then run hashcat as a dictionary attack with a nice set of rules to mutate the word. That would look like this:

hashcat -a 0 -m 99999 --stdout wordlist.txt -r rules.txt

Some good rule sets to look for are hob64 and oneruletorulethemall.

Finally, and maybe most effective, would be to use a combination of these two. If I was going hard on this, I would create a custom mask file to try multiple mutations of the word password. I would then run the output of that through the rule based attack.
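To make the mask syntax above concrete, here is a small Python reimplementation of hashcat's mask expansion (added here as an example; it is not hashcat's code). It parses the built-in charsets ?u ?l ?d ?a (plus ?s and the '??' literal escape, which hashcat also defines), reports the keyspace a mask produces, and yields the candidates, which is handy for judging how much a pattern like 'P@$sW0rD?a?a' actually adds to a password's strength.

```python
import itertools
import string

# hashcat built-in charsets. ?s is space plus punctuation (33 chars) and
# ?a is the union in hashcat's order (lower, upper, digits, special), 95 chars.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Turn a mask string into a list of per-position alphabets.

    A literal character becomes a one-element alphabet, '?x' becomes the
    charset x, and '??' is a literal question mark, as in hashcat.
    """
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append(ch)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        nxt = mask[i + 1]
        if nxt == "?":
            positions.append("?")
        elif nxt in CHARSETS:
            positions.append(CHARSETS[nxt])
        else:
            raise ValueError(f"unknown charset ?{nxt}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates the mask expands to (product of alphabet sizes)."""
    total = 1
    for alphabet in parse_mask(mask):
        total *= len(alphabet)
    return total


def candidates(mask):
    """Yield every candidate string for the mask, in hashcat charset order."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)
```

For the mask used in the command above, keyspace('P@$sW0rD?a?a') is 95 * 95 = 9025, i.e. two appended ?a positions add only about 13 bits over the fixed prefix.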

Burp will also give you some nice alerts if it observes a failure in the TLS negotiation.

In terms of bypassing the pinning, I haven't worked with okhttp3 before, but the blog you link uses a tactic that has worked for me with other modules. But definitely try the xposed module first, it has been pretty reliable recently and is quicker/easier.

3.) Perhaps they had a logged-in session to your Amazon account that was not reset at the time of password change? Amazon should be invalidating all sessions when you change your password, but maybe they are not.

Sorry I'm late to this party. I'm the developer of the tool (evil-ssdp) that exploited this vulnerability in Plex, Vuze, and a handful of other apps.

Interesting conversation above, and of course everyone knows more about their home network than I do, so I won't argue any of those points.

Here is where I see this vulnerability being exploited:

- Someone has Plex (or another vulnerable app) on a portable computer, like a laptop, and they bring it to work or connect to a public wifi. Not common, but I've seen it.

- Someone gains access to your home wifi via their own device and then uses this vuln to crack the password for the account you use to log on to your computer. They go from just having access to your bandwidth to having access to much more.

- Less likely, someone has already compromised a device on your home network and they use this to spread. I say less likely as for most people this would mean their primary device (PC) is ALREADY compromised.

Of course, once an attacker gets onto your home network there are more options for escalating their privileges - this is just one of them, and it is pretty effective.

Perhaps my passphrase cracking project will help. The phrase you are trying to crack may already be in my dictionary, and the rules I provide could be used as is or tweaked slightly to meet your use case.

When you say you're trying to open an elevated console, does that mean you have a working low-privilege logon now? If so, you'll want to work through standard privilege escalation steps. There are some great blogs on this already, check some out here:
http://www.fuzzysecurity.com/tutorials/16.html

In terms of netsec, the human parameter is often the weakest defense. Attackers will use techniques like this to gather intelligence and attempt to guess working credentials or socially engineer valid users.

If you are running something else, it's also pretty straightforward. You can download pre-compiled binaries here: https://hashcat.net/hashcat/. Configuring your GPU drivers is going to be very different depending on your operating system and card. You can probably find a good walk-through for your specific setup just by Googling your OS + your card + hashcat drivers.

Agreed, I've been working on building a multi-word passphrase wordlist for more sophisticated attacks. Honestly, though, I use it and don't get many hits. I still find most of the passwords I need using old wordlists with crappy 1-word passwords.

Nice write up! In some entry level web pen courses instructors will load up a nice old 'snake' flash game and give it to students to play around with. Definitely fun to play around with. Though flash may be going by the wayside (EoL 2020), the practice for intercepting, analyzing, and replaying payloads is a great skill for pentesters.

I have spoken to someone at UPS' tech support, and he's escalated this to third level, having succeeded in creating a text account using a Protonmail account. I have a ticket number, and will call again if I hear nothing in ten days.

Good luck! I'd suggest working hard to design the presentation to be easily understood by non-technical folks. Something very visual that is relevant to their own life - MiTM attack over wifi could be cool as it will make them think about what happens to them on public networks.

But definitely focus on the "simple". I remember doing a junior-high project on FTP and Gopher back in the early 90s and getting a room full of blank stares. :)

Anyone who goes that far has serious issues. I wonder at what point (if at all) it crosses illegal wiretapping laws. It's not unusual for networks to be monitored, but bypassing security features (by installing custom certs to be able to man in the middle https) and not giving disclosure I think are major issues even if they were spouses or kids.

Ha! I didn't think anyone would take the blog that way... this would be a really crappy way to spy on a phone that isn't yours. It's more about learning how the apps interact with their overlords, as well as learning Burp for pentesting.

Yep, agreed. This blog is really meant as a way for folks to learn a little bit about penetration testing. The next step would be to start modifying the requests in transit, to search for vulnerabilities in the app/API.